ASA and AAA-Server

Hi,

I have an ASA which authenticates against an AAA server. The server is located on the interface named "abc". So the server is added to the ASA config with the command

"aaa-server SERVER-GROUP (abc) host 1.2.3.4"

Now if the connection to the server over the abc interface is broken, the server is reachable via a backup link over interface "def". But the ASA doesn't use this link for authentication requests because the config says that it must be reachable over interface "abc" and not "def". Any idea how to get the ASA to use the backup interface?

Best Regards hub


The traffic for host 1.2.3.4 is getting routed through the interface abc, not def, therefore I believe there is no way to make it work unless you add a route statement to put the traffic out def when you need to use that interface.

shawn


You might be having a problem with PFS (perfect forward secrecy). I forget if the PIXes have it by default, but I believe the ASAs do...

Try doing this on the ASA 5505: no crypto map outside_map 1 set pfs...

You could also add more crypto maps to make sure those are matching.

From the errors it appears as though it has completed phase 1 and is running into problems with phase 2.

shawn


Hi Shawn,

No, it is not a routing problem. In the case of a broken connection over abc the route entries change to def. The problem, I think, is the interface definition in the aaa-server statement which says that the server has to be reachable over abc. Any other idea to solve this?

Best Regards hub


I assume you have tried to add aaa-server SERVER-GROUP (def) host 1.2.3.4 -- or what error message do you get when you add this?

From one of our running configs:

aaa-server Entias01 protocol radius
aaa-server server-group (inside) host 1.2.3.4 key *******
aaa-server server-group (inside) host 2.3.4.5 key *****

I don't see any reason why you can't change (add) the (interface) def. Then it would try the first aaa-server in the group, and if it fails, try the next.

I guess I didn't realize the ASAs were capable of 'state routing'; all of our ASAs have routes out of specific interfaces.

shawn.

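What shawn's suggestion looks like as a complete server group, written as an added example for this thread (it is not config from either poster's box): the same AAA host 1.2.3.4 appears twice in one group, once behind the primary interface abc and once behind the backup interface def, so the ASA falls through to the second entry when the first fails. The group name AAA-FAILOVER, the shared-secret placeholder and the test user are assumptions; abc, def and 1.2.3.4 are the thread's own values.

```cisco
! Added example, not from the thread. Group name and secret are placeholders.
! One RADIUS group; the ASA tries members in the order they are listed.
aaa-server AAA-FAILOVER protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
!
! Primary path: the AAA host behind interface abc (as in hub's original line).
aaa-server AAA-FAILOVER (abc) host 1.2.3.4
 key <SHARED-SECRET-PLACEHOLDER>
!
! Backup path: the same host, reached through interface def.
aaa-server AAA-FAILOVER (def) host 1.2.3.4
 key <SHARED-SECRET-PLACEHOLDER>
!
! Bind the group where it is used; keep LOCAL as the last resort so a lost
! AAA path cannot lock you out of management.
aaa authentication ssh console AAA-FAILOVER LOCAL
!
! Checks: both entries should be listed, and a test login should succeed
! against the named host while the other path is down.
show aaa-server AAA-FAILOVER
test aaa-server authentication AAA-FAILOVER host 1.2.3.4 username testuser password <PLACEHOLDER>
```

Two things to watch when you do this. With depletion mode the ASA marks a member failed after max-failed-attempts and skips it until every member has failed or the deadtime expires, so the (abc) entry will time out first on each new request until it is marked down; check show aaa-server for the member states rather than assuming the fallback happened. And a request sent out def is sourced from def's interface address, not abc's, so the RADIUS server must have a client entry for that second address with the same secret, otherwise it silently drops the packets and the ASA reports the (def) member as failed too.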
